Your security team needs to implement a defense-in-depth strategy for a sensitive Cloud Storage bucket in Project A with these requirements:

• The bucket must only be readable from Project B.
• The bucket must not be accessible from outside the VPC network.
• Data in the bucket must be prevented from being copied to an external Cloud Storage bucket.

What steps should the security team take?